Cybersecurity

Breach Roundup: CISA Says Agencies Should 'Patch Smarter'


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch high-risk vulnerabilities within three days when they meet specific exploitation-risk criteria, adopting a new prioritization framework. Meanwhile, a global cybersecurity roundup highlighted incidents including a French government messaging breach, Microsoft’s AI-related attack warnings, and ongoing ransomware threats.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive requiring federal agencies to patch high-risk vulnerabilities within three days if the affected systems are publicly exposed, the flaw is listed in CISA’s Known Exploited Vulnerabilities Catalog, and exploitation could grant attackers total or automated partial control. The directive, titled BOD 26-04, replaces the traditional CVSS scoring system with the Stakeholder-Specific Vulnerability Categorization (SSVC) framework to align patching efforts with real-world risks. Agencies must also assess whether vulnerable systems may already be compromised before remediation.

The new rules mark a shift from broad patching mandates to a more targeted approach, though critics like Tod Beardsley, vice president of security research at runZero, question whether a three-day deadline is feasible across over 100 agencies. CISA’s acting executive assistant director for cybersecurity, Chris Butera, and senior technical advisor Jonathan Spring emphasized the need for agencies to 'patch smarter, not harder.'

Separately, a roundup of global cybersecurity incidents revealed multiple threats. Software supply-chain hackers used fake nuclear weapons prompts to trigger AI security scanners, evading detection in a new tactic tied to past attacks like Mini Shai-Hulud. A suspected Russian nation-state hacker appeared in Boston federal court, while Microsoft warned that attackers are exploiting the AI boom by impersonating tools like ChatGPT and Copilot. The company also patched 200 vulnerabilities, including six zero-days.

French authorities investigated a breach of the government’s Tchap messaging platform, and Marks & Spencer canceled employee bonuses after a costly cyberattack. CISA also ordered emergency action on an actively exploited Check Point VPN flaw, and an NHS trust disclosed patient data theft linked to the Synnovis breach. Additionally, a romance-themed espionage campaign targeted Russian troops, and the ransomware group Qilin remained active in multiple attacks.

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
